Scott,
This is my top portion of my virus.cfg file under i7 and i8.
Keith
-----Original Message-----
From: Keith Johnson on behalf of Keith Johnson
Sent: Wed 3/3/2004 8:10 AM
To: [EMAIL PROTECTED]
Cc:
Subject: RE: [Declude.Virus] New interim Declude Virus Pro to block bogus
.bat, .com, .pif, and .scr files
Scott,
This is a 'top' sample of what I have listed in my Virus.CFG file:
BANEZIPEXTS ON
BANZIPEXTS ON
BANEXT exe
BANEXT ex_
BANEXT pif
BANEXT pi_
BANEXT scr
BANEXT sc_
BANEXT bat
BANEXT ba_
BANEXT com
BANEXT co_
Since we modify extensions at our Firewall, you see the different
alternate extensions above. I made no modifications to the above moving to i8. I
noticed in my log (tried MID and HIGH) after moving to i8 that I no longer saw any
Banning extension with (EXT) lines. Thus, I got concerned. On average, we get a
virus every few seconds, and moving back to i7, within a minute, I was catching the
banned extension inside of zips again. When I was on i8, I did a simple test of
zipping an Eicar .com virus and password protecting it. I ran it through and it went
straight to my inbox. I then dropped back to i7 and ran the same file through and it
was picked up and logged, however, the directory couldn't be removed. Thus, this
morning I had well over 200 plus .vir directories to delete. Any thoughts? Thanks
for the aid.
Keith
-----Original Message-----
From: [EMAIL PROTECTED] on behalf of R. Scott Perry
Sent: Wed 3/3/2004 7:57 AM
To: [EMAIL PROTECTED]
Cc:
Subject: Re: [Declude.Virus] New interim Declude Virus Pro to block bogus
.bat, .com, .pif, and .scr files
>I'll second that. Running 1.78i8, with BANZIPEXTS and BANEZIPEXTS ON, the
>encoded zip eicar test passes through. The regular zip version of the eicar
>test is caught.
Just to clarify, this IS the expected behavior with 1.78i18.
BANZIPEXTS ON and BANEZIPEXTS ON will *only* block .ZIP files *if* they
contain files that have a banned file extension. So unless you also have a
line "BANEXT com" in the virus.cfg file, an encrypted eicar.com file won't
get caught.
For others having issues with these new features, please be very clear what
is happening. There are a lot of possibilities here. You'll need to
specify [1] Whether you are using BANZIPEXTS ON or BANEZIPEXTS ON (or the
not-recommended-but-still-useful BANEXT EZIP), [2] Whether you have a
BANEXT line to block the appropriate file (BANEXT com, for example), [3]
What type of file you are sending through (.com? .com within a .zip?), [4]
If it is a .ZIP file, is the file inside it encrypted?
-Scott
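The rule Scott describes, as an added illustration that is not part of the original thread and is not Declude's code: a zip is flagged only when a member name carries an extension listed with BANEXT, and that check still works on password-protected archives because standard zip password protection leaves member names in the central directory readable. It assumes BANEZIPEXTS governs encrypted members and BANZIPEXTS unencrypted ones; the function names and sample data are constructed.

```python
import io
import os
import zipfile

# Constructed sample config using the directives quoted in the thread.
SAMPLE_CFG = "BANEZIPEXTS ON\nBANZIPEXTS ON\nBANEXT exe\nBANEXT com\n"

def parse_cfg(text):
    """Return (banned extensions, zip switches that are ON)."""
    banned, switches = set(), set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        key, value = parts[0].upper(), parts[1]
        if key == "BANEXT":
            banned.add(value.lower())
        elif key in ("BANZIPEXTS", "BANEZIPEXTS") and value.upper() == "ON":
            switches.add(key)
    return banned, switches

def zip_verdict(zip_bytes, banned, switches):
    """Return [(member name, encrypted?)] for members that trigger a block."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():  # names come from the central directory
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose flag bit 0
            # Assumption: BANEZIPEXTS covers encrypted members, BANZIPEXTS the rest.
            switch = "BANEZIPEXTS" if encrypted else "BANZIPEXTS"
            ext = os.path.splitext(info.filename)[1].lstrip(".").lower()
            if switch in switches and ext in banned:
                hits.append((info.filename, encrypted))
    return hits

def make_sample_zip(name, encrypted):
    """Constructed test archive; 'encrypted' only sets the header flag bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, b"harmless placeholder")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[data.find(b"PK\x03\x04") + 6] |= 0x01  # local file header flags
        data[data.find(b"PK\x01\x02") + 8] |= 0x01  # central directory flags
    return bytes(data)
```

With "BANEXT com" removed from the config, the same encrypted archive produces no hits, which is the case Scott's point [2] asks posters to rule out.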
